I saw a great process safety article in InTech magazine titled, When failsafe isn’t enough. It gives a “how-to” approach to volume tank sizing for reserve air pressure required for an orderly safety shutdown.
The author describes some cases where this reserve air volume might be needed, such as when the failure position of safety valves is not in the failsafe condition or when operating conditions require an orderly, sequenced shutdown.
The equations to size the volume tank are given as well as who would typically supply the equation parameters. For instance, the valve supplier typically supplies the safety valve torque requirements and required leakage rates. The actuator supplier provides the torque-to-supply pressure tables. The good news for those of us a little rusty in our advanced math skills is that the equations are algebraic and the simplifying assumptions err on the side of conservative volume sizing.
I sent a link to this great article to Emerson’s Len Laskowski, whom you may recall from earlier process safety posts. Len is a principal technical consultant, registered professional engineer, and certified functional safety expert (CFSE) and TÜV CFSE.
Len added that many engineers will tend to the conservative side and size the volume tank for several strokes of a valve, even if it needs to operate only once in a single stroke. This is mainly because extra capacity is relatively inexpensive, especially to mitigate the risk of a larger hazard.
He shared a reactor emergency depressurization example as a typical application where you might find volume tanks. Len wrote:
Typically, if this is a safety instrumented function (SIF) you want de-energized to trip failsafe. The emergency depressurization valves are Fail Open on loss of air. A spurious trip of this system would be bad news as the author suggests. It could create secondary hazards as is suggested in IEC 61511 that need to be identified.
For example, if the air failure was extensive, a large number of vessels all depressurizing at once could overload a flare system. Too quick a depressurization of some chemicals could cause auto refrigeration that could lead to a cooling of the vent piping below design spec and the hazard of pipe embrittlement.
In some reactors, it would possibly blow catalyst out the vent system and possibly put stress on reactor beds, or trays that could damage the internals of the vessel, due to the large pressure differential caused by the emergency depressurization. These secondary issues also need to be managed and are reasons why volume tanks are needed.
Len has worked with process manufacturers to address some of these issues:
In some cases, a nitrogen or air bottle backup system would be used that has much more capacity than a volume tank. I have also seen cases where nitrogen is automatically switched in to back up a valve. This can be done by having a 3-way valve hooked up so that the common goes to the final element, one side goes to instrument air and the other nitrogen.
You need some check valves to guard against reverse flow and have the valve actuator off the instrument air so that it cuts off the nitrogen when instrument air is present. This is also a good setup when you have air motors that need a lot of air (gas) that need to move big valves. With nitrogen’s toxicity in sufficient concentrations, these applications are generally outdoors, well ventilated, and require close review.
Len complimented the author on his article and added a few more considerations for process safety professionals. He wrote:
Other considerations that may be overlooked are common mode failures and testing. Typically, one would put two check valves in the system because failure of one would allow the tank to bleed out to the plant header. Also, care must be taken that the air is clean and no dirt is allowed to get to the check valves, so a filter/separator is really required to ensure that the check valves have a good opportunity to operate.
Facilities to isolate the volume tank from the air supply and bleed the air upstream of the check valves are also required not only to check that the system works initially but also for future proof testing. Typically, these systems should be checked at the same time the safety instrumented system (SIS) is proof tested. This is an easy item to overlook and needs to be put on the testing schedule with the SIFs it supports.
I hope between the author’s original article and Len’s additional thoughts that there are some pearls you can apply in your process safety efforts.